Use Criterion always when possible Using Criterion allows to bind values in statements. You can't use Criterion only for strings because in this method you can't distinguish if it is a table name or value provided by user.

Add to Criteria support for IN and NOT IN operators in JOIN conditions e.g. JOIN x ON (x.id = y.x_id AND y.foo IN (42, 51))